The EU is at it again with sweeping new privacy laws called the Digital Services Act (DSA) that will take effect next year. Their goals are admirable, but their execution is questionable. And like when GDPR rolled out, there are a lot of open questions.
For example, DSA requires that companies publish their Monthly Active User (MAU) counts for their EU users publicly. The reasoning is the EU wants to have a stricter set of rules for companies with more than 45 million MAU. Seems reasonable so far. However, in order to know your European MAU, you need to know which of your users are in the EU. Sure, Facebook and Google know where their users are, but most companies don’t actually have a need to track their users’ locations. You could estimate it from the user’s IP address, but that still requires going out of your way to seek that personal info, and then, most importantly, storing that data for the user. But wait a minute, storing unnecessary personal data is illegal thanks to other EU privacy regulations.
So which law should you follow? 🤷‍♂️
Similarly, let’s say Alice reports Bob to your service. German law requires that if Alice is based in Germany, we must notify Bob that a German user has reported them. Now continent-level granularity isn’t good enough; we need to know each user’s country. In the US, California has its own set of privacy laws, so we actually need state-level granularity. Eventually we might need exact location data to adhere to all the laws in a user’s jurisdiction.
These are just a couple of examples; there are dozens of contradictory regulations being introduced, and nobody knows how they will be enforced. Will we be forced to reduce user privacy to comply with unnecessary laws? Maybe!
It’s clear the EU is writing these laws with Facebook and Google specifically in mind, without consideration for how they might impact other, more responsible companies. This is unfortunate, because user privacy does need to be protected, but the current approach might just do the opposite.